From: Henning Schild <henning.schild@siemens.com>
To: isar-users@googlegroups.com
Subject: Re: [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion
Date: Mon, 3 Jun 2019 13:12:31 +0200
Message-ID: <20190603131231.578a081d@md1za8fc.ad001.siemens.net>
In-Reply-To: <20190603111100.20256-1-henning.schild@siemens.com>
References: <20190603111100.20256-1-henning.schild@siemens.com>

Change to v1:
- use find instead of "ls *" to detect if there are any keys
- reduce to just one if statement

Henning

On Mon, 3 Jun 2019 13:10:59 +0200, Henning Schild wrote:
> From: Henning Schild > > Images containing ssh host keys without some way of dealing with the > fact that those have to be generate at run-time not install-time are > invalid! > > Introduce a check that our own package "sshd-regen-keys" is installed > when such keys are present (when an ssh daemon is installed). > > Suggest to install that package or find some other way of dealing with > the problem. But fail by default, since such an image is most likely > broken. > > Signed-off-by: Henning Schild > --- > meta/classes/image-postproc-extension.bbclass | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/meta/classes/image-postproc-extension.bbclass > b/meta/classes/image-postproc-extension.bbclass index > 625ba7d..f6ed793 100644 --- > a/meta/classes/image-postproc-extension.bbclass +++ > b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,16 @@ > image_postprocess_mark() { update_etc_os_release \ > --build-id "${BUILD_ID}" --variant "${DESCRIPTION}" > } > + > +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" > + > +image_postprocess_sshd_key_regen() { > + nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" > -printf '.' | wc -c ) > + if [ $nhkeys -ne 0 -a ! -d > ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then > + bbwarn "Looks like you have ssh host keys in the image but > did "\ > + "not install \"sshd-regen-keys\". This image should > not be "\ > + "deployed more than once." > + bberror "Install the package or forcefully remove this check!" > + exit 1 > + fi > +}
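Review bot: the installed-package test `! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys` in image_postprocess_sshd_key_regen() is fragile: an image that drops /usr/share/doc (a common size optimisation for minimal rootfs) will fail the assertion even though sshd-regen-keys is present, and a leftover directory would silence it with the package absent. Querying the rootfs package database instead, e.g. `dpkg-query --admindir=${IMAGE_ROOTFS}/var/lib/dpkg -W sshd-regen-keys`, ties the check to what is actually installed. Two smaller points: `find ${IMAGE_ROOTFS}/etc/ssh/ ...` prints an error to stderr whenever no ssh daemon (and so no /etc/ssh) is installed, so guard it with `[ -d ${IMAGE_ROOTFS}/etc/ssh ]` first; and since `bberror` does not abort, the `bbwarn`/`bberror`/`exit 1` sequence could be collapsed into one `bbfatal` carrying the whole message, which logs and stops the build in a single step. The `-a` inside `[ ... ]` is also non-portable; two `[ ... ] && [ ... ]` tests are the POSIX form.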